Merge pull request #3437 from esl/auth-config-spec

Move auth config spec to auth backend modules
esl · Dec 8, 2021 · e1e1e08 · e1e1e08
2 parents a36d044 + dc96af3
commit e1e1e08
Show file tree

Hide file tree

Showing 13 changed files with 223 additions and 187 deletions.
diff --git a/src/auth/ejabberd_auth.erl b/src/auth/ejabberd_auth.erl
@@ -46,7 +46,8 @@
          does_method_support/2,
          remove_user/1,
          supports_sasl_module/2,
-         entropy/1
+         entropy/1,
+         config_spec/1
         ]).
 
 -export([check_digest/4]).
@@ -389,6 +390,10 @@ entropy(IOList) ->
             length(InputList) * math:log(lists:sum(Set))/math:log(2)
     end.
 
+-spec config_spec(atom()) -> mongoose_config_spec:config_section().
+config_spec(Method) ->
+    mongoose_gen_auth:config_spec(auth_method_to_module(Method)).
+
 %%%----------------------------------------------------------------------
 %%% Internal functions
 %%%----------------------------------------------------------------------

diff --git a/src/auth/ejabberd_auth_anonymous.erl b/src/auth/ejabberd_auth_anonymous.erl
@@ -28,6 +28,7 @@
 
 -export([start/1,
          stop/1,
+         config_spec/0,
          register_connection/5,
          unregister_connection/5,
          session_cleanup/5
@@ -56,6 +57,8 @@
 -include("mongoose.hrl").
 -include("jlib.hrl").
 -include("session.hrl").
+-include("mongoose_config_spec.hrl").
+
 -record(anonymous, {us  :: jid:simple_bare_jid(),
                     sid :: ejabberd_sm:sid()
                    }).
@@ -82,6 +85,16 @@ stop(HostType) ->
     ejabberd_hooks:delete(session_cleanup, HostType, ?MODULE, session_cleanup, 50),
     ok.
 
+-spec config_spec() -> mongoose_config_spec:config_section().
+config_spec() ->
+    #section{
+       items = #{<<"allow_multiple_connections">> => #option{type = boolean},
+                 <<"protocol">> => #option{type = atom,
+                                           validate = {enum, [sasl_anon, login_anon, both]}}
+                },
+       format_items = map
+      }.
+
 %% @doc Return true if multiple connections have been allowed in the config file
 %% defaults to false
 -spec allow_multiple_connections(mongooseim:host_type()) -> boolean().

diff --git a/src/auth/ejabberd_auth_dummy.erl b/src/auth/ejabberd_auth_dummy.erl
@@ -3,6 +3,7 @@
 %% API
 -export([start/1,
          stop/1,
+         config_spec/0,
          check_password/4,
          check_password/6,
          authorize/1,
@@ -24,6 +25,7 @@
 -ignore_xref([scram_passwords/0]).
 
 -include("mongoose.hrl").
+-include("mongoose_config_spec.hrl").
 
 %%%----------------------------------------------------------------------
 %%% API
@@ -37,6 +39,16 @@ start(_HostType) ->
 stop(_HostType) ->
     ok.
 
+-spec config_spec() -> mongoose_config_spec:config_section().
+config_spec() ->
+    #section{
+       items = #{<<"base_time">> => #option{type = integer,
+                                            validate = non_negative},
+                 <<"variance">> => #option{type = integer,
+                                           validate = positive}},
+       format_items = map
+      }.
+
 authorize(Creds) ->
     HostType = mongoose_credentials:host_type(Creds),
     Opts = mongoose_config:get_opt([{auth, HostType}, dummy], #{}),

diff --git a/src/auth/ejabberd_auth_external.erl b/src/auth/ejabberd_auth_external.erl
@@ -31,6 +31,7 @@
 
 -export([start/1,
          stop/1,
+         config_spec/0,
          set_password/4,
          authorize/1,
          try_register/4,
@@ -49,6 +50,7 @@
          check_password/6]).
 
 -include("mongoose.hrl").
+-include("mongoose_config_spec.hrl").
 
 %%%----------------------------------------------------------------------
 %%% API
@@ -65,9 +67,21 @@ start(HostType) ->
             ok
     end.
 
+-spec stop(mongooseim:host_type()) -> ok.
 stop(HostType) ->
     extauth:stop(HostType).
 
+-spec config_spec() -> mongoose_config_spec:config_section().
+config_spec() ->
+    #section{
+       items = #{<<"instances">> => #option{type = integer,
+                                            validate = positive},
+                 <<"program">> => #option{type = string,
+                                          validate = non_empty}
+                },
+       required = [<<"program">>],
+       format_items = map
+      }.
 
 -spec check_cache_last_options(mongooseim:host_type()) -> 'cache' | 'no_cache'.
 check_cache_last_options(HostType) ->

diff --git a/src/auth/ejabberd_auth_http.erl b/src/auth/ejabberd_auth_http.erl
@@ -13,6 +13,7 @@
 %% External exports
 -export([start/1,
          stop/1,
+         config_spec/0,
          supports_sasl_module/2,
          set_password/4,
          authorize/1,
@@ -28,7 +29,7 @@
          check_password/6]).
 
 -include("mongoose.hrl").
--include("scram.hrl").
+-include("mongoose_config_spec.hrl").
 
 -type http_error_atom() :: conflict | not_found | not_authorized | not_allowed.
 -type params() :: #{luser := jid:luser(),
@@ -48,6 +49,13 @@ start(_HostType) ->
 stop(_HostType) ->
     ok.
 
+-spec config_spec() -> mongoose_config_spec:config_section().
+config_spec() ->
+    #section{
+       items = #{<<"basic_auth">> => #option{type = string}},
+       format_items = map
+      }.
+
 -spec supports_sasl_module(mongooseim:host_type(), cyrsasl:sasl_module()) -> boolean().
 supports_sasl_module(_HostType, cyrsasl_plain) -> true;
 supports_sasl_module(HostType, cyrsasl_digest) ->  not mongoose_scram:enabled(HostType);

diff --git a/src/auth/ejabberd_auth_jwt.erl b/src/auth/ejabberd_auth_jwt.erl
@@ -31,6 +31,7 @@
 
 -export([start/1,
          stop/1,
+         config_spec/0,
          authorize/1,
          check_password/4,
          check_password/6,
@@ -39,8 +40,11 @@
          supported_features/0
         ]).
 
+%% Config spec callbacks
+-export([process_jwt_secret/1]).
 
 -include("mongoose.hrl").
+-include("mongoose_config_spec.hrl").
 
 %%%----------------------------------------------------------------------
 %%% API
@@ -57,6 +61,31 @@ stop(_HostType) ->
     persistent_term:erase(jwt_secret),
     ok.
 
+-spec config_spec() -> mongoose_config_spec:config_section().
+config_spec() ->
+    #section{
+       items = #{<<"secret">> => jwt_secret_config_spec(),
+                 <<"algorithm">> => #option{type = binary,
+                                            validate = {enum, algorithms()}},
+                 <<"username_key">> => #option{type = atom,
+                                               validate = non_empty}
+                },
+       required = all,
+       format_items = map
+      }.
+
+jwt_secret_config_spec() ->
+    #section{
+       items = #{<<"file">> => #option{type = string,
+                                       validate = non_empty},
+                 <<"env">> => #option{type = string,
+                                      validate = non_empty},
+                 <<"value">> => #option{type = string}},
+       process = fun ?MODULE:process_jwt_secret/1
+      }.
+
+process_jwt_secret([V]) -> V.
+
 -spec supports_sasl_module(binary(), cyrsasl:sasl_module()) -> boolean().
 supports_sasl_module(_, Module) -> Module =:= cyrsasl_plain.
 
@@ -143,3 +172,8 @@ get_jwt_secret(HostType) ->
             {ok, JWTSecret} = file:read_file(Path),
             JWTSecret
     end.
+
+algorithms() ->
+    [<<"HS256">>, <<"RS256">>, <<"ES256">>,
+     <<"HS386">>, <<"RS386">>, <<"ES386">>,
+     <<"HS512">>, <<"RS512">>, <<"ES512">>].
diff --git a/src/auth/ejabberd_auth_ldap.erl b/src/auth/ejabberd_auth_ldap.erl
@@ -36,6 +36,7 @@
 
 -export([start/1,
          stop/1,
+         config_spec/0,
          start_link/1,
          set_password/4,
          authorize/1,
@@ -54,7 +55,7 @@
 
 -ignore_xref([start_link/1]).
 
--include("mongoose.hrl").
+-include("mongoose_config_spec.hrl").
 -include("eldap.hrl").
 
 -record(state,
@@ -99,6 +100,25 @@ stop(HostType) ->
     ejabberd_sup:stop_child(Proc),
     ok.
 
+-spec config_spec() -> mongoose_config_spec:config_section().
+config_spec() ->
+    #section{
+       items = #{<<"pool_tag">> => #option{type = atom,
+                                           validate = non_empty},
+                 <<"bind_pool_tag">> => #option{type = atom,
+                                                validate = non_empty},
+                 <<"base">> => #option{type = binary},
+                 <<"uids">> => #list{items = mongoose_ldap_config:uids()},
+                 <<"filter">> => #option{type = binary,
+                                         validate = ldap_filter},
+                 <<"dn_filter">> => mongoose_ldap_config:dn_filter(),
+                 <<"local_filter">> => mongoose_ldap_config:local_filter(),
+                 <<"deref">> => #option{type = atom,
+                                        validate = {enum, [never, always, finding, searching]}}
+                },
+       format_items = map
+      }.
+
 -spec start_link(HostType :: mongooseim:host_type()) -> {ok, pid()} | {error, any()}.
 start_link(HostType) ->
     Proc = gen_mod:get_module_proc(HostType, ?MODULE),
@@ -448,10 +468,7 @@ parse_options(HostType) ->
     RawUserFilter = maps:get(filter, Opts, <<>>),
     UserFilter = eldap_utils:process_user_filter(UIDs, RawUserFilter),
     SearchFilter = eldap_utils:get_search_filter(UserFilter),
-    {DNFilter, DNFilterAttrs} = case maps:find(dn_filter, Opts) of
-                                    {ok, DNF} -> DNF;
-                                    error -> {undefined, []}
-                                end,
+    {DNFilter, DNFilterAttrs} = maps:get(dn_filter, Opts, {undefined, []}),
     LocalFilter = maps:get(local_filter, Opts, undefined),
     #state{host_type = HostType,
            eldap_id = {HostType, EldapID},

diff --git a/src/auth/ejabberd_auth_rdbms.erl b/src/auth/ejabberd_auth_rdbms.erl
@@ -31,6 +31,7 @@
 
 -export([start/1,
          stop/1,
+         config_spec/0,
          authorize/1,
          set_password/4,
          try_register/4,
@@ -56,7 +57,7 @@
 -import(mongoose_rdbms, [prepare/4, execute_successfully/3]).
 
 -include("mongoose.hrl").
--include("scram.hrl").
+-include("mongoose_config_spec.hrl").
 
 -define(DEFAULT_SCRAMMIFY_COUNT, 10000).
 -define(DEFAULT_SCRAMMIFY_INTERVAL, 1000).
@@ -74,13 +75,22 @@
 %%% API
 %%%----------------------------------------------------------------------
 
+-spec start(moongooseim:host_type()) -> ok.
 start(HostType) ->
     prepare_queries(HostType),
     ok.
 
+-spec stop(moongooseim:host_type()) -> ok.
 stop(_HostType) ->
     ok.
 
+-spec config_spec() -> mongoose_config_spec:config_section().
+config_spec() ->
+    #section{
+       items = #{<<"users_number_estimate">> => #option{type = boolean}},
+       format_items = map
+      }.
+
 -spec supports_sasl_module(mongooseim:host_type(), cyrsasl:sasl_module()) -> boolean().
 supports_sasl_module(_HostType, cyrsasl_plain) -> true;
 supports_sasl_module(HostType, cyrsasl_digest) -> not mongoose_scram:enabled(HostType);

diff --git a/src/auth/ejabberd_auth_riak.erl b/src/auth/ejabberd_auth_riak.erl
@@ -18,11 +18,13 @@
 -behaviour(mongoose_gen_auth).
 
 -include("mongoose.hrl").
+-include("mongoose_config_spec.hrl").
 -include("scram.hrl").
 
 %% API
 -export([start/1,
          stop/1,
+         config_spec/0,
          supports_sasl_module/2,
          supported_features/0,
          set_password/4,
@@ -46,7 +48,15 @@ start(_HostType) ->
 
 -spec stop(mongooseim:host_type()) -> ok.
 stop(_HostType) ->
-ok.
+    ok.
+
+-spec config_spec() -> mongoose_config_spec:config_section().
+config_spec() ->
+    #section{
+       items = #{<<"bucket_type">> => #option{type = binary,
+                                              validate = non_empty}},
+       format_items = map
+      }.
 
 -spec supports_sasl_module(mongooseim:host_type(), cyrsasl:sasl_module()) -> boolean().
 supports_sasl_module(_HostType, cyrsasl_plain) -> true;

diff --git a/src/auth/mongoose_gen_auth.erl b/src/auth/mongoose_gen_auth.erl
@@ -3,6 +3,7 @@
 
 -export([start/2,
          stop/2,
+         config_spec/1,
          supports_sasl_module/3,
          authorize/2,
          check_password/5,
@@ -28,6 +29,8 @@
 
 -callback stop(HostType :: mongooseim:host_type()) -> ok.
 
+-callback config_spec() -> mongoose_config_spec:config_section().
+
 -callback supports_sasl_module(HostType :: mongooseim:host_type(),
                                Module :: cyrsasl:sasl_module()) ->
     boolean().
@@ -103,7 +106,8 @@
                          DigestGen :: fun()) -> boolean().
 
 %% See the API function definitions below for default values
--optional_callbacks([try_register/4,
+-optional_callbacks([config_spec/0,
+                     try_register/4,
                      get_registered_users/3,
                      get_registered_users_number/3,
                      get_password/3,
@@ -115,6 +119,8 @@
                      check_password/4,
                      check_password/6]).
 
+-include("mongoose_config_spec.hrl").
+
 %% API
 
 -spec start(ejabberd_auth:authmodule(), mongooseim:host_type()) -> ok.
@@ -125,6 +131,13 @@ start(Mod, HostType) ->
 stop(Mod, HostType) ->
     Mod:stop(HostType).
 
+-spec config_spec(ejabberd_auth:authmodule()) -> mongoose_config_spec:config_section().
+config_spec(Mod) ->
+    case is_exported(Mod, config_spec, 0) of
+        true -> Mod:config_spec();
+        false -> #section{items = #{}}
+    end.
+
 -spec supports_sasl_module(ejabberd_auth:authmodule(), mongooseim:host_type(),
                            cyrsasl:sasl_module()) -> boolean().
 supports_sasl_module(Mod, HostType, SASLModule) ->